[ppml] IPv6 flawed?

Cort Buffington cort at kanren.net
Mon Sep 17 14:56:15 EDT 2007

Concerning the example organization we're talking about (which is
typical of the large healthcare networks we have encountered -- for
some reason healthcare seems to really struggle): Their problems are
organizational, not technical. They will not be solved with a
network layer protocol.

On Sep 17, 2007, at 1:51 PM, Ted Mittelstaedt wrote:

>> -----Original Message-----
>> From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net] On Behalf Of
>> michael.dillon at bt.com
>> Sent: Monday, September 17, 2007 11:15 AM
>> To: ppml at arin.net
>> Subject: Re: [ppml] IPv6 flawed?
>>> Firewalls are common and plentiful in that WAN/LAN all run by
>>> these different fiefdoms and they all use large access lists
>>> with hard-coded host numbers in them.  There is really not
>>> one single person - in my humble opinion - who knows all
>>> about all applications on the network and all servers and who
>>> all is supposed to be using them.  The typical MO to setup a
>>> worker bee in the organization can involve discussions with
>>> tens of different admins to get access to all the stuff the
>>> person needs.
>> And every single one of those devices needs to be CHANGED in order to
>> convert it to IPv6. At the time of conversion (or preferably during the
>> audit preceding conversion) it makes sense to try and get some control
>> over these ACLs to facilitate renumbering.
> I agree.  However I think you missed the part where I said that the
> network is organized - a misuse of the term organized if I ever
> heard of one - into a set of fiefdoms, and the powers that be
> like it that way.
> What this means is that UNLESS the board of directors empowers
> the CIO to tell every last group in the organization that they
> are going to do it this way or the highway, then a conversion is
> simply going to muck it up worse than it is now.  You think it is
> bad when 2 IPv4 networks use back-to-back NAT to communicate within
> that org - just wait til you have 2 fiefdoms switched to IPv6
> and a fiefdom that is used to connect the 2 that refuses to
> switch to IPv6, and the 2 IPv6 fiefdoms now want to send IPv6
> to each other.
> I very strongly suspect with LHS that if they ever had to go
> to IPv6 to get internet connectivity, that they will just put in
> proxies.  I fully expect that their internal net will be IPv4
> long after most companies have switched.  Fortunately, my doctor
> doesn't work in that company. ;-)
>> Of course, one solution is to not convert certain devices to IPv6 but
>> just live with the IPv4 stuff that works. When those networks become
>> isolated IPv4 islands in an IPv6 network, it will never again be
>> necessary to renumber the IPv4 interfaces.
>>> For the people that talk about IPv6 renumbering like you just
>>> flip a switch and change the prefix in the router, may I
>>> humbly suggest you are out of your fricking mind.
>> The people who tell you to renumber this way, also point out how they
>> planned and prepared from the time they were first installing their
>> network. The real lesson is not that IPv6 networks can be renumbered at
>> a flick of a switch, but that building renumberability in from the
>> start makes it very easy to do. Also, note that IPv6 requires two
>> switch flicks. One to turn on the new prefix, and the other to turn off
>> the old prefix after a delay of days or weeks.
>> During those interim weeks, you could probably renumber the firewalls
>> one by one.
> At least half the firewalls simply aren't even required.  They exist
> for political reasons - to justify someone's position in the company.
> A doctor group in that company may have their own IT group because
> they always had one, or because they are prima donnas who think the
> normal desktop support people aren't fast enough, or because they
> think it's a badge of status like a marked parking spot, or because
> they think they make so much money for the company that they can
> do what they want, and they just like sticking it to authority.
> And I couldn't renumber those firewalls because I would have to
> convince every admin in charge of them that renumbering was necessary -
> and if they didn't understand IPv6 they likely would not do it.
> Seriously, if LHS came to me and asked me to organize a renumber I
> would not do it unless I got 20 million bucks up front that would
> be forfeited to me if they did not uphold their end of the contract -
> and I would have written in to the contract that I could tell
> any IT person or user in the company that they had to follow my
> IT guidelines or figure out how to do their jobs without benefit
> of connectivity to the network.  No, on second thought, make that
> 200 million bucks.  It would have to be large enough to be
> noticed by the stockholders.  20 million is pocket change for that
> company.
> Without that kind of big stick, that network could not ever be
> organized. Even the CEO
> and chairman of the board of that company don't have that big of
> a stick.
>> IPv6 is *NOT* just IPv4 with more bits. It works differently and
>> seemingly small differences have larger knock-on effects.
> For companies like LHS that are 2 steps away from network anarchy,
> IPv6 will come just like all other network upgrades on that network
> come - in bits and pieces, here and there on their network.  It will
> not be organized.  But it will serve to perpetuate the bureaucracy
> and the people who have manufactured positions in that org for
> themselves will continue to have their positions.
> Ted
> _______________________________________________
> You are receiving this message because you are subscribed to the ARIN Public Policy
> Mailing List (PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services
> Help Desk at info at arin.net if you experience any issues.

Cort Buffington
Assistant Director for Technical Services
The Kansas Research and Education Network
cort at kanren.net
Office: +1-785-856-9800 x301
Mobile: +1-785-865-7206
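The practical point buried in the quoted exchange is the audit that should precede any renumbering: firewalls full of access lists with hard-coded host numbers, each owned by a different group, have to be inventoried before a prefix can be retired. As an added example (not code from this thread or from any of its participants), the following Python script does that inventory on constructed ACL text in a simplified Cisco-like syntax: it pulls every literal `host a.b.c.d` entry, reports which ones fall inside the prefix about to be renumbered, and groups the result by device so each owner can be handed their own list. The device names, ACL lines and the `10.1.4.0/24` prefix are all made up for the example.

```python
"""Inventory the hard-coded host addresses in firewall ACLs before a renumbering.

Added example, not code from the ppml thread or its participants: it takes
ACL text in a simplified Cisco-like syntax (constructed here, one block per
device) and reports every literal 'host a.b.c.d' entry that falls inside the
prefix about to be renumbered, grouped by device.
"""
import ipaddress
import re

# Constructed sample input: three firewalls run by three different groups.
SAMPLE_ACLS = {
    "radiology-fw": """\
access-list 101 permit tcp host 10.1.4.20 host 10.2.7.15 eq 1433
access-list 101 permit tcp any host 10.1.4.21 eq 443
access-list 101 deny ip any any""",
    "lab-fw": """\
access-list 120 permit tcp host 10.2.7.15 host 10.1.4.20 eq 5432
access-list 120 permit udp host 192.168.50.9 any eq 514""",
    "billing-fw": """\
access-list 130 permit ip 10.9.0.0 0.0.255.255 any""",
}

# Matches the 'host <dotted-quad>' keyword form. Wildcard-mask ranges are
# deliberately ignored: they are not single hard-coded hosts.
HOST_RE = re.compile(r"\bhost\s+(\d{1,3}(?:\.\d{1,3}){3})\b")


def literal_hosts(acl_text):
    """Return [(line_no, IPv4Address), ...] for every 'host' literal in acl_text.

    Tokens that look like addresses but are not valid (e.g. 300.1.1.1) are skipped.
    """
    found = []
    for line_no, line in enumerate(acl_text.splitlines(), start=1):
        for token in HOST_RE.findall(line):
            try:
                found.append((line_no, ipaddress.IPv4Address(token)))
            except ValueError:
                continue
    return found


def renumber_inventory(acls, old_prefix):
    """Map device name -> sorted [(line_no, 'a.b.c.d'), ...] of hosts inside old_prefix.

    Devices with no affected entry are kept (empty list) so the report also
    shows which ACLs can be left alone.
    """
    net = ipaddress.IPv4Network(old_prefix, strict=False)
    inventory = {}
    for device, text in acls.items():
        hits = [(ln, str(ip)) for ln, ip in literal_hosts(text) if ip in net]
        inventory[device] = sorted(set(hits))
    return inventory


def summarize(inventory):
    """Return (devices_needing_changes, total_acl_entries_to_edit)."""
    devices = sum(1 for hits in inventory.values() if hits)
    entries = sum(len(hits) for hits in inventory.values())
    return devices, entries


if __name__ == "__main__":
    inv = renumber_inventory(SAMPLE_ACLS, "10.1.4.0/24")
    for device, hits in inv.items():
        print(f"{device}: {len(hits)} entries to renumber")
        for line_no, ip in hits:
            print(f"  line {line_no}: {ip}")
    print("devices/entries touched:", summarize(inv))
```

Run against real configurations, the per-device lists are what you take to each group's admin during the interim period the quoted message describes, when both prefixes are live and the firewalls can be edited one by one; a device whose list is empty is one you do not have to argue about.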
